Final Audit Report, "Assessment of NASA's Certification and Accreditation Process"
(Report No. IG-07-035; Assignment No. A-07-009-00)

FISMA requires agencies to report annually on the effectiveness of the agency's IT security program and requires IGs to perform independent evaluations of their agency's information security programs and practices. For FY 2007, OMB asked IGs to provide a qualitative assessment of their agency's process for certifying and accrediting IT systems. OMB and NASA OCIO requested that we provide, as a part of the FY 2007 FISMA compliance review, an early assessment of NASA's process for certification and accreditation (C&A) of unclassified NASA systems categorized as moderate- and high-risk impact. Overall, we found that OCIO's policies and procedures for the C&A process for unclassified systems are in compliance with FISMA requirements; however, the quality assurance function of the process could be improved. Specifically, we found inaccuracies and inconsistencies in C&A documentation for 11 of 13 security assessment reports we reviewed. Inaccurate and inconsistent information in the security assessment report reduces the assurance that authorizing officials have the information they need to make a credible, risk-based decision about system accreditation—i.e., whether to authorize operation of an information system. OCIO immediately began taking corrective actions to address our concerns.

We recommended that OCIO (1) provide formal notice to the contractor and the contracting officer of our findings and take them into consideration with regard to the contract performance metric for independent certification; (2) increase oversight of deliverables provided by contractors by ensuring that security assessment reports are reviewed for correctness, completeness, and consistency with established standards; and (3) formally remind system personnel, such as system owners, of the importance of reviewing and verifying the accuracy of security assessment reports. Management concurred with all three recommendations and management's comments were responsive. All three recommendations will be closed upon completion and verification of management's corrective action.

The memorandum contains NASA Information Technology/Internal Systems Data that is not routinely released under the Freedom of Information Act (FOIA). To submit a FOIA request, see the online guide.